Amendments to the Claims

1. (currently amended) A system for analyzing network traffic to use in
performing network and security assessments by listening on a subject network,
interpreting events, and taking action, comprising:

a policy specification file;

a network monitor processor [[for processing]] that processes network packet
data collected from said subject network; and

a policy monitoring component [[for receiving and processing]] that receives and
processes said policy specification file[[,]] and that receives and processes
[[receiving and processing]] said processed network packet data [[to assign]] by assigning
dispositions to network events contained in said network packet data, wherein said
policy monitoring component further comprises:

a parser that parses said policy specification file; and

a policy engine that synthesizes said parsed policy specification file and
said processed network packet data and by comparing said processed network
packet data against said parsed policy specification file, assigns associated
dispositions and level of severity to said network events contained in said network
packet data wherein each of a plurality of network events that can occur in said
subject network has an associated disposition.

2. (currently amended) The system of Claim 1, said policy monitoring component
further comprising:

[[a parser for parsing said policy specification file;]]

[[a policy engine for synthesizing said parsed policy specification file and said
processed network packet data, and for performing said assign dispositions and
level of severity to said network events contained in said network packet data; and]]

a logger for logging and storing into an events database said synthesized
information by said policy engine according to a logging policy file.

3. (original) The system of Claim 2, further comprising: 

a query mechanism for mining said stored data in said events database. 

4. (original) The system of Claim 2, further comprising: 

an alarm script component for generating alarms based on said level of
severity of said network events.

5. (original) The system of Claim 2, further comprising means for said policy
engine:

interpreting each protocol event; and

consulting said policy specification file as each protocol event is interpreted to 
ensure that an earliest determination of said disposition is reached. 

6. (original) The system of Claim 1, wherein said collected network packet data 
is captured in a file or is streams-based. 

7. (original) The system of Claim 1, further comprising:

a secure Web server comprising a Web server component and a report 
database for displaying reports online, said reports generated by said events 
database using a report script. 

8. (original) The system of Claim 1, further comprising:

a parser for generating an English description policy representation from said 
policy specification file. 

9. (original) The system of Claim 1, wherein said network monitor processor is 
used in standalone mode. 

10. (original) The system of Claim 1, wherein said network monitor processor 
and said policy monitoring component run on a same machine. 

11. (original) The system of Claim 1, further comprising:

a policy generator for generating said policy specification file. 

12. (original) The system of Claim 1, wherein said received network packet data 
is encoded.

13. (currently amended) A method for analyzing network traffic to use in 
performing network and security assessments by listening on a subject network, 
interpreting events, and taking action, said method comprising: 

providing a policy specification file; 

providing a network monitor processor [[for processing]] that processes network
packet data collected from said subject network; and

providing a policy monitoring component [[for receiving and processing]] that
receives and processes said policy specification file[[,]] and that receives and
processes [[receiving and processing]] said processed network packet data [[to assign]]
by assigning dispositions to network events contained in said network packet data,
wherein said policy monitoring component further comprises:

a parser that parses said policy specification file; and

a policy engine that synthesizes said parsed policy specification file and
said processed network packet data and by comparing said processed network
packet data against said parsed policy specification file, assigns associated
dispositions and level of severity to said network events contained in said network
packet data wherein each of a plurality of network events that can occur in said
subject network has an associated disposition.

14. (currently amended) The method of Claim 13, said provided policy 
monitoring component further comprising: 

[[providing a parser for parsing said policy specification file;]]

[[providing a policy engine for synthesizing said parsed policy specification file
and said processed network packet data, and for performing said assign dispositions
and level of severity to said network events contained in said network packet data;]]

providing a logger for logging and storing into an events database said
synthesized information by said policy engine according to a logging policy file.

15. (original) The method of Claim 14, further comprising:

providing a query mechanism for mining said stored data in said events 
database. 


16. (original) The method of Claim 14, further comprising: 

providing an alarm script component for generating alarms based on said 
level of severity of said network events. 

17. (original) The method of Claim 14, further comprising said policy engine:

interpreting each protocol event; and 

consulting said policy specification file as each protocol event is interpreted to 
ensure that an earliest determination of said disposition is reached. 

18. (original) The method of Claim 13, wherein said collected network packet
data is captured in a file or is streams-based. 

19. (original) The method of Claim 13, further comprising:

providing a secure Web server comprising a Web server component and a
report database for displaying reports online, said reports generated by said events 
database using a report script. 

20. (original) The method of Claim 13, further comprising:

providing a parser for generating an English description policy representation 
from said policy specification file. 

21. (original) The method of Claim 13, wherein said network monitor processor is 
used in standalone mode.

22. (original) The method of Claim 13, wherein said network monitor processor 
and said policy monitoring component run on a same machine. 

23. (original) The method of Claim 13, further comprising:

providing a policy generator for generating said policy specification file. 

24. (original) The method of Claim 13, wherein said received network packet 
data is encoded. 


25. (currently amended) A method for iteratively developing network security 
policy for a network, comprising: 

creating an initial network security policy file; 

ensuring said initial network security policy file is uploaded to a machine on 
said network;

running a network monitor on said network machine to collect said network
traffic;

said network monitor outputting said collected network traffic in an output file,
and passing said output file to a policy monitor component of Claim 13;

said policy monitor component analyzing said collected network traffic;

storing said analyzed network traffic in a database;

examining said analyzed network traffic in said database by querying said
database using a query tool;

modifying said initial network security policy file as needed; and

repeating from said ensuring network security policy file is uploaded through
said modifying said network security policy file until a comprehensive and desired
policy file is attained.

26. (original) The method of Claim 25, wherein said network machine is remote,
and further comprising uploading said modified network security policy file to said 
remote network machine as needed. 

27. (original) The method of Claim 25, further comprising:

monitoring network traffic by using said attained comprehensive and desired 
policy file. 

28. (original) The method of Claim 27, wherein monitoring network traffic is on a 
continuous basis.

29. (original) The method of Claim 25, further comprising: 

generating reports from said database, and using said generated reports as 
input for further policy refinement and/or using said generated reports for 
continuously monitoring network traffic.

30. (original) The method of Claim 29, further comprising: 

encrypting said reports, and sending said encrypted reports to a remote 
secure Web server. 



31. (original) The method of Claim 30, further comprising:

accessing said reports on said remote server in a user-friendly manner. 



32. (original) The method of Claim 25, wherein creating an initial network security
policy file, and modifying said network security policy file as needed use a policy
generator tool.

33. (currently amended) A system for itera[[c]]tively developing network 
security policy for a network, said system comprising: 

means for creating an initial network security policy file;

means for ensuring said initial network security policy file is uploaded to a
machine on said network;

means for running a network monitor on said machine to collect said network
traffic;

means for said network monitor outputting said collected network traffic in an
output file, and passing said output file to a policy monitor component of Claim 1;

means for said policy monitor component analyzing said collected network
traffic;

means for storing said analyzed network traffic in a database;

means for examining said analyzed network traffic in said database by
querying said database using a query tool;

means for modifying said initial network security policy file as needed; and

means for repeating from said means for ensuring network security policy file
is uploaded through said means for modifying said network security policy file until a
comprehensive and desired policy file is attained.

34. (original) The system of Claim 33, wherein said network machine is remote, 
and further comprising means for uploading said modified network security policy file
to said remote network machine as needed.

35. (original) The system of Claim 33, further comprising:

means for monitoring network traffic by using said attained comprehensive 
and desired policy file.

36. (original) The system of Claim 35, wherein monitoring network traffic is on a 
continuous basis. 

37. (original) The system of Claim 33, further comprising:

means for generating reports from said database, and using said generated 
reports as input for further policy refinement and/or using said generated reports for 
continuously monitoring network traffic. 

38. (original) The system of Claim 37, further comprising:

means for encrypting said reports, and sending said encrypted reports to a 
remote secure Web server. 

39. (original) The system of Claim 38, further comprising: 

means for accessing said reports on said remote server in a user-friendly
manner.

40. (original) The system of Claim 33, wherein means for creating an initial
network security policy file, and modifying said network security policy file as needed
uses a policy generator tool.